Hack The Box is a popular platform where pentesters and cybersecurity professionals practise on training machines. In this article we walk through the Compromised machine using real-world attack techniques.
We publish walkthroughs of machines from the HackTheBox platform. These materials are intended to support the development of skills in information security.
Access to the lab is via VPN. It is recommended to use a device that holds no important data, since the connection is made to a private network shared with participants who have significant experience in information security.
This machine has the IP address 10.10.10.207, which I add to /etc/hosts:
10.10.10.207 compromised.htb
First, a scan for open ports is performed. This is done using a script that takes one argument — the address of the host being scanned:
#!/bin/bash
# Fast full-range sweep to find open ports, then a detailed -A scan of only those ports.
ports=$(nmap -p- --min-rate=500 "$1" | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p"$ports" -A "$1"
Let’s take a look at the site.
The site runs the LiteCart CMS and nothing else of note is exposed. Next, the directories are brute-forced with gobuster:
gobuster dir -t 128 -u http://compromised.htb/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x html,php
We find an interesting directory called backup, and in it is an archive.
This archive contains the source codes of the site.
Among these files, we find a mention of a file hidden on the server.
The file contains administrator credentials.
We log in with them.
Looking into this CMS, we find a public RCE exploit for it.
However, the exploit does not work as-is.
Reading the exploit code shows that it runs commands through PHP's system() function, which is presumably blocked on the server.
To check which functions are blocked, we change the payload to call phpinfo(): its output lists the disabled functions (the disable_functions directive).
We see a long list of disabled functions. A known disable_functions bypass can be used to get around them.
We modify the exploit to build and send the new PHP code instead of the original system() payload.
This version works.
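Before rewriting a payload it helps to know exactly which primitives survived the block. The script below is an added example (not part of the original write-up or the exploit it used): it extracts the disable_functions value from raw phpinfo() output, in both the HTML and CLI text forms, and reports which direct command-execution functions are still callable and which process-spawning helpers remain for the common LD_PRELOAD-style bypass. The phpinfo fragment is constructed for the demo; the machine's real list is not reproduced here, and the write-up does not state which bypass it used.

```python
import re

# Functions that run OS commands directly from PHP.
DIRECT_EXEC = ["system", "exec", "shell_exec", "passthru", "popen", "proc_open", "pcntl_exec"]
# Functions that fork a child process internally (sendmail and friends); together with
# putenv() they enable the well-known LD_PRELOAD bypass when everything above is blocked.
LD_PRELOAD_HELPERS = ["putenv", "mail", "mb_send_mail", "error_log", "imap_mail"]


def parse_disable_functions(phpinfo_text: str) -> set[str]:
    """Pull the disable_functions value out of raw phpinfo() output.

    Works on the HTML table row (<td>disable_functions</td><td>a,b</td>) and on
    the plain-text CLI form (disable_functions => a,b => a,b).
    """
    m = re.search(r"disable_functions\s*(?:</td>\s*<td[^>]*>|=>)\s*([^<\n]*)", phpinfo_text)
    if not m:
        return set()
    value = m.group(1).split("=>")[0]  # text form repeats the local/master value
    if value.strip() == "no value":
        return set()
    return {f.strip() for f in value.split(",") if f.strip()}


def remaining_exec_functions(disabled: set[str]) -> dict[str, list[str]]:
    """Report which primitives survive the block, grouped by how they are abused."""
    return {
        "direct": [f for f in DIRECT_EXEC if f not in disabled],
        "ld_preload": [f for f in LD_PRELOAD_HELPERS if f not in disabled],
    }


# Constructed phpinfo() fragment for the demo (hypothetical list, not the box's own).
SAMPLE_PHPINFO = (
    '<tr><td class="e">disable_functions</td>'
    '<td class="v">system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec,dl</td>'
    '<td class="v">system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec,dl</td></tr>'
)

if __name__ == "__main__":
    disabled = parse_disable_functions(SAMPLE_PHPINFO)
    print("disabled:", sorted(disabled))
    print("remaining:", remaining_exec_functions(disabled))
```

In the constructed sample every direct execution function is blocked, but putenv() and mail() are not, which is exactly the situation the LD_PRELOAD bypass targets. If the "direct" list is non-empty, simply switching the exploit to that function is enough.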
Looking at the users in /etc/passwd, we notice that the mysql account has a real login shell (bash).
To obtain a convenient interactive shell from the web shell, the webwrap tool is used.
Since the database server runs as the mysql user and that user has a shell, executing OS commands through MySQL would give us access as that user. The credentials for the database are usually found in the site's configuration files.
Now that the credentials have been obtained, let's check which functions are defined in MySQL.
A user-defined function, exec_cmd, is registered in MySQL and runs system commands directly from a query. We generate an SSH key pair and use exec_cmd to write the public key into the mysql user's authorized_keys (note that > overwrites any existing file; >> would append to it).
mysql -u root --password=changethis -e "select exec_cmd('echo ssh-rsa AAAAB3NzaC1yc2EAAAADA/ ... 6GuPNZGryVNovs= ralf@ralf-PC > ~/.ssh/authorized_keys');"
We log in via SSH.
It is also worth reviewing the system logs: passwords frequently end up in them, for example when a user mistypes one into a login prompt or passes it on a command line. Analyzing the logs can reveal credentials usable for further access to the system.
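To make that log review systematic rather than eyeballing every file, here is an added example (not code from the write-up) that scans log text for the leak patterns a post-exploitation review most often finds: a password-looking value in a MySQL "Access denied for user" line (what you get when someone types their password into the username field), explicit password/passwd/pwd fields, and passwords passed on a command line. The log lines are constructed for the demo and are not the box's logs; the heuristic in looks_like_secret() is a deliberately cheap stand-in for an entropy check.

```python
import re
from dataclasses import dataclass


@dataclass
class Leak:
    line_no: int
    value: str
    reason: str


# MySQL echoes whatever was typed as the username; a password typed into the
# username field leaks here, so the captured value is checked heuristically.
MYSQL_DENIED = re.compile(r"Access denied for user '([^']+)'@")
# Explicit key/value leaks. The lookbehind skips MySQL's own "(using password: YES)".
KEY_VALUE = re.compile(r"(?i)(?<!using )\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)")
# Passwords handed over on argv: --password=secret or -psecret.
ARGV = re.compile(r"(?:--password=|\s-p)(\S+)")


def looks_like_secret(s: str) -> bool:
    """Cheap entropy proxy: 8+ chars drawn from at least three character classes."""
    classes = sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(s) >= 8 and classes >= 3


def find_leaked_credentials(log_text: str) -> list[Leak]:
    """Return every candidate credential found in the log, one entry per distinct value per line."""
    leaks: list[Leak] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        seen: set[str] = set()
        for m in MYSQL_DENIED.finditer(line):
            value = m.group(1)
            if looks_like_secret(value) and value not in seen:
                seen.add(value)
                leaks.append(Leak(n, value, "password-like username in MySQL auth failure"))
        for pattern, why in ((KEY_VALUE, "explicit password field"), (ARGV, "password on command line")):
            for m in pattern.finditer(line):
                value = m.group(1)
                if value not in seen:
                    seen.add(value)
                    leaks.append(Leak(n, value, why))
    return leaks


# Constructed sample log (hypothetical hosts, users and secrets, not from the machine).
SAMPLE_LOG = """\
2024-03-01T10:02:11 [Warning] Access denied for user 'root'@'localhost' (using password: YES)
2024-03-01T10:02:15 [Warning] Access denied for user 'Wint3r!Tulip#9'@'localhost' (using password: NO)
2024-03-01T10:03:40 backup.sh: mysqldump -u backup --password=b4ckup-Pass shop > /tmp/shop.sql
2024-03-01T10:05:02 sshd[1211]: Accepted publickey for mysql from 10.10.14.5 port 51234
2024-03-01T10:07:19 app[2201]: db connect failed: host=127.0.0.1 user=shop pwd=Sh0p!Db#2024
"""

if __name__ == "__main__":
    for leak in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {leak.line_no}: {leak.value!r}  ({leak.reason})")
```

Run it over /var/log/mysql/*.log, /var/log/auth.log and any application logs you can read; the "password-like username" rule is the one that catches the mistyped-password case, while the other two catch operators who scripted credentials into cron jobs and backup scripts.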
Let's try to switch to the user whose password turned up in the logs. With that account, we then look for files modified in the last 100 days:
find . -mtime -100 2>/dev/null
A hidden library, .pam_unix.so, is detected, which is most likely a backdoor: the legitimate pam_unix.so is also present on the system alongside it. For further analysis, the suspicious file is copied to the attacking machine to verify its contents and behaviour.
scp [email protected]:/lib/x86_64-linux-gnu/security/.pam_unix.so ~/tmp/
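A hidden shared object in the PAM module directory is something a defender should be able to find without a manual find and scp. The following is an added example (not from the write-up) of the check: list every .so under a PAM security directory, flag dot-prefixed modules outright (no package ships hidden PAM modules), and compare the rest against a baseline of known-good SHA-256 hashes, which also catches a legitimate module that was overwritten in place. The directory tree and the "modules" in it are constructed placeholder bytes, not real ELF files, and the baseline is built from those same bytes; on a real host the baseline comes from the package manager (dpkg -V libpam-modules, rpm -V pam) or a clean copy of the package.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_pam_dir(pam_dir: Path, known_good: dict[str, str]) -> list[tuple[str, str]]:
    """Flag shared objects in a PAM module directory that should not be there.

    known_good maps module file name -> SHA-256 of the distro-packaged file.
    Dot-prefixed .so files are reported unconditionally; unknown files and
    files whose hash differs from the baseline are reported as well.
    """
    findings: list[tuple[str, str]] = []
    for p in sorted(Path(pam_dir).iterdir()):
        if not p.is_file() or not p.name.endswith(".so"):
            continue
        if p.name.startswith("."):
            findings.append((p.name, "hidden shared object"))
        elif p.name not in known_good:
            findings.append((p.name, "not in package baseline"))
        elif known_good[p.name] != sha256_of(p):
            findings.append((p.name, "hash mismatch with baseline"))
    return findings


def build_demo_tree() -> tuple[Path, dict[str, str]]:
    """Constructed stand-in for /lib/x86_64-linux-gnu/security (placeholder bytes, not real modules)."""
    d = Path(tempfile.mkdtemp(prefix="pam-audit-"))
    packaged = {
        "pam_unix.so": b"ELF placeholder: packaged pam_unix",
        "pam_deny.so": b"ELF placeholder: packaged pam_deny",
        "pam_permit.so": b"ELF placeholder: packaged pam_permit",
    }
    # Baseline hashes are taken from the "packaged" contents before any tampering.
    known_good = {name: hashlib.sha256(data).hexdigest() for name, data in packaged.items()}
    for name, data in packaged.items():
        (d / name).write_bytes(data)
    # Simulate the attacker's changes: a hidden trojan module plus a patched legitimate one.
    (d / ".pam_unix.so").write_bytes(b"ELF placeholder: backdoored pam_unix")
    (d / "pam_permit.so").write_bytes(b"ELF placeholder: tampered pam_permit")
    return d, known_good


if __name__ == "__main__":
    pam_dir, baseline = build_demo_tree()
    for name, reason in audit_pam_dir(pam_dir, baseline):
        print(f"{name}: {reason}")
```

Pair this with a look at /etc/pam.d to see which module file each service actually loads: a hidden copy is only dangerous if something references it, or if it has been swapped in under the real name.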
We load it into a disassembler (I used Cutter).
A suspicious string stands out in the binary; let's see where it is referenced.
Following the references, we observe the entered password being compared against a sequence of hexadecimal constants which, decoded as ASCII, represent half of that string.
Using the recovered string as the root password succeeds and gives full superuser access to the system. This confirms a backdoor integrated into the authentication stack through the planted library.